You are all probably aware of Cobalt Strike, one of the most popular attack frameworks for Red Teams. Unfortunately, threat actors have also been abusing this tool, and countless attack campaigns have been observed using Cobalt Strike beacons. There is some good news, though: a Cobalt Strike DoS exploit has been found that permits blocking beacon C2 communication channels and deployments.

Into the thick of it

The DoS vulnerabilities, dubbed Hotcobalt, are tracked as CVE-2021-36798 and have been spotted in the latest versions of the Cobalt Strike server.
  • One of these bugs allows fake beacons to be registered with a particular server and to send it large files of fake screenshots or task output. As a result, the server crashes.
  • Already-installed beacons are rendered unable to communicate with the server, and hence new beacons cannot be installed on infected systems.

Why it matters

Preventing live beacons from communicating with the C2 server would stop attackers from moving further unless a new configuration is performed. In a nutshell, this vulnerability can majorly impede ongoing operations.

There’s a catch

While used by attackers on a regular basis, Cobalt Strike is a legitimate penetration testing tool. Therefore, while Hotcobalt can be used by threat actors, it can also be used by law enforcement and security teams to take down malicious infrastructure.

The bottom line

Research into attack frameworks such as Cobalt Strike still falls into the niche category. Nevertheless, this latest development, along with further investigation, will possibly allow users to defend against such bugs.

Cyware Publisher